BTH News 10July2020
This Week In Cybersecurity
This week on Between the Hacks, billions of leaked credentials found on the dark web, home routers found to be vulnerable, Instagram star extradited to the U.S. to face charges for BEC attacks, more news about clipboard snooping and The Internet’s Own Boy.
Billions of Leaked Credentials Available on the Dark Web
Over 15 billion online credentials from more than 100,000 data breaches were discovered on the dark web according to a report by The Photon Research Team.
The researchers, “identified a large number of these credentials, ranging from account compromise (think Netflix) to complete network compromise, used in ransomware attacks. The prices for the latter would go for an average of $3,139 and up to $140,000” reports Bitdefender.
Of the 15 billion credentials discovered, about 1/3 of them were unique.
Home Routers Are Vulnerable
Home network security is an often written-about topic on Between The Hacks and with so many people working from home during the COVID-19 pandemic, it is a much more important topic than it was six months ago. Why? Because the weaknesses in home routers are giving attackers a fresh new vector with which to attack businesses.
According to the Home Router Security Report 2020, of the 127 consumer-grade routers that were tested, none of them were without flaws. Forty-six routers had not received updates within the past year and one had not received updates in more than five years. “Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed” according to the report.
What Can You Do?
Check to make sure your router gets automatic updates. If it doesn’t, it’s probably time to buy a router that does get automatic updates.
Check to see when a patch was last created for your router. The automatic update feature is useless if the vendor is not patching or is no longer supporting your router.
Use network segmentation to isolate your work computers, personal devices and IoT devices. In a pinch, consider connecting your work computers to the guest network of your home router.
The Home Router Security Report 2020 has been added to the Between The Hacks 2020 Cybersecurity Report Roundup.
Nigerian Instagram star extradited to US to face BEC charges
Ray Hushpuppi, the flashy Instagram star, was extradited from the United Arab Emirates (UAE) to Chicago where he will face charges for his part in a widespread business email compromise (BEC) scam campaign. Hushpuppi’s real name is Ramon Olorunwa Abbas, age 37.
Abbas’ Instagram account has 2.5 million followers and shows picture after picture of him with expensive cars, private jets and designer clothing.
“The DOJ is charging Abbas with allegedly conspiring to launder hundreds of millions of dollars in BEC and other scams that targeted a US law firm’s client, a foreign bank and an English Premier League soccer club, among others” reports Naked Security.
To learn more about BEC attacks and what you can do to prevent becoming a victim, read the Between The Hacks article on BEC.
Apps Snooping Your Clipboard
A recent report revealed that many Android and iOS apps are silently reading your clipboard. This is especially concerning for those of us who use password managers to prevent the re-use of passwords.
Researchers at Mysk have kept an updated list of offending apps on their site. The current list includes many news apps such as Fox News, Russia Today, The Wall Street Journal and CNBC. Other apps were also offenders, including LinkedIn, Bejeweled, Fruit Ninja, Bed Bath & Beyond and Overstock.
Apple’s iOS 14 developer beta release has a new privacy feature that alerts the user when an app accesses their clipboard. This video shows how this works and how many popular apps are looking at our clipboards.
This week a class-action lawsuit was filed against LinkedIn which alleges that the LinkedIn app had been "spying on its users" but also the other Apple devices owned by those users. This relates to the Universal Clipboard feature of iOS and macOS devices, which allows the sharing of clipboard data between them” according to Forbes.
While this is all very concerning, iDropNews reports that there are many valid reasons for apps to check the clipboard and provides some examples that make our lives easier.
What Can You Do?
If you’re using a password manager, check to see if it has a feature to clear the clipboard. LastPass has this feature in Settings > Security > Clear Clipboard.
On iOS, upgrade to iOS 14 as soon as it becomes available.
Until then, check this list to see which apps are still reading your clipboard and consider removing them if you are not comfortable with that activity.
Consider using a clipboard manager to give you access to your clipboard history so you can clear your clipboard but still have access to what was on the clipboard. Flycut is my favorite on macOS and there are many options for Windows, iOS, and Android.
Tip of the Week
The Internet’s Own Boy Documentary
This 2014 documentary chronicles the life and death of Aaron Swartz, an American computer programmer, writer, political organizer and Internet activist who was the co-founder of the popular website, Reddit.
The movie features interviews with Swartz’s family, friends and the internet luminaries who worked with him. The film tells his story up to his eventual suicide after a legal battle, and explores the questions of access to information and civil liberties that drove his work.
You can learn more at this website and you can watch the documentary for free on archive.org below or by using this link to watch directly on the archive.org website.
You can also buy or rent the documentary from Amazon.